A computer network typically includes a collection of interconnected computing devices that exchange data and share resources. The devices may include, for example, web servers, database servers, file servers, routers, printers, end-user computers and other devices. The variety of devices may execute a myriad of different services and communication protocols. Each of the different services and communication protocols exposes the network to different security vulnerabilities.
Conventional techniques for detecting network attacks use pattern matching. In particular, an intrusion detection system (“IDS”) applies regular expressions or sub-string matches to detect defined patterns within a data stream. Multiple patterns may be used in an attempt to improve the accuracy of the attack detection. In order to improve the probability of detecting an attack, the IDS may attempt to identify the type of software application and protocol associated with the data stream. Based on the identification, the IDS selects the appropriate patterns to apply in order to detect a network attack, which is used herein to include viruses or other malicious activity.
Conventionally, many IDSs associate applications with a static port assignment and used these static port assignments to determine the type of application and protocol associated with a given data stream. However, many hackers or other malicious individuals utilize software application that employ dynamic or randomized port assignments rather than conform to the static port assignments in order to evade detection and containment. Such techniques render it difficult for IDSs to correctly identify the type of application and protocol.